Why SpyEye? 








Why protect the bot? 



• Protect technology 

• Protect CC channel 

• Protect botmasters 

• Avoid signature creation 







Agenda 



• Quick intro on SpyEye & simple anti-reverse 

• More advanced anti-reverse 

• Sophisticated anti-reverse 

• Conclusions 








SpyEye botnet 



[Screenshot: a directory listing of SpyEye sample files named by hash, each carrying a spoofed file description such as "AVZ antivirus utility", "Microsoft CleanSweep" (Microsoft Corporation), "HijackThis" (Trend Micro Inc.), "BASH Custom Action", "ACPI Host" and "Microsoft".]



SpyEye bot - infection process 

• User clicks on installer 

• Installer injects threads 

• Threads protect installer 

• Installer gets executed during boot-up 

SpyEye bot - threads operating 

• Receive initial configuration 

• Check-in into CC server 
Protecting the bot. 





Simple anti-reverse tricks 

• Rogue int3 

• Junk opcode 

• Timing analysis 

Processes 

• Obtaining list of processes 

• Standard procedure (Process Explorer) 

[Screenshot: Process Explorer (Sysinternals) beside IDA's Imports view of the bot. The imported modules listed are WS2_32.dll, MPR.dll, COMCTL32.dll, VERSION.dll, KERNEL32.dll (162 functions), USER32.dll (146), GDI32.dll, COMDLG32.dll, SHELL32.dll, ole32.dll and OLEAUT32.dll; the KERNEL32.dll entries visible are TerminateThread, WideCharToMultiByte, CreateToolhelp32Snapshot, Module32First and CloseHandle.] 
More advanced anti-reverse tricks 

• Name encoding 

• Call-wrapping 
[Screenshot: IDA disassembly of the wrapper around CreateToolhelp32Snapshot, reconstructed from the slide:] 

.text:00402CB5 push 5BC1D14Fh 
.text:00402CBA push 8 
.text:00402CBC call sub_401E99 
.text:00402CC1 add esp, 18h 
.text:00402CC4 test eax, eax 
.text:00402CC6 jz short locret_402CE7 
.text:00402CC8 push esi 
.text:00402CC9 mov [ebp+var_4], esp 
.text:00402CCC push [ebp+arg_4] 
.text:00402CCF push [ebp+arg_0] 
.text:00402CD2 call eax ; CreateToolhelp32Snapshot 
.text:00402CD4 pop ecx 
.text:00402CD5 pop ecx 

[A breakpoint is set at 00402CBC (sub_402C9E+1E). The General registers window at the stop shows EIP = 00402CD2 (sub_402C9E+34), EAX pointing into KERNEL32.dll (the resolved CreateToolhelp32Snapshot), EDI = kernel32_CloseHandle and EDX = ntdll_KiFastSystemCallRet.] 
Call-wrapping in detail 

[Screenshot: IDA cross-reference graph of the wrapped call sites; the annotated calls read:] 

.text:00401ED1 call wcscpy 
.text:00401B7A call sub_401A98 
.text:00402058 call sub_402477 
.text:00402083 call dword ptr [ebp-214h] //ntdll_LdrLoadDll 
.text:004022A0 call [ebp+var_10] //ntdll_LdrLoadDll 
.text:004020FE call wcscpy 
.text:0040231C call sub_401A98 
.text:00402331 call sub_401A98 
.text:004025BC call [ebp+var_C] //kernel32_IsWow64Process 
.text:00402113 call wcscat 
.text:00402130 call sub_401C4E 
.text:004013FC call eax //CreateMutex 
.text:0040140A call sub_401BD2 
.text:00401BEE call sub_4023C3 
.text:004023ED call [ebp+var_C] //ntdll_NtUnmapVi... 
.text:00401BF9 call sub_4023FD 
Call-wrapping in detail 

[Flowchart of one wrapped call (two columns on the slide, read left column then right column):] 

• allocate memory 

• decode module filename 

• open module file 

• map view of module 

• set proper permissions 

• decode procedure offset 

• call procedure 

• unload module 

• free memory 
Sophisticated anti-reversing 

Patching process memory... 

[Screenshot: Process Explorer on a Polish-language Windows XP guest in VirtualBox, showing the sample e19a3ee2f2dd73993265f... running alongside idag.exe and procexp.exe; IDA's disassembly and hex view around a GetDiskFreeSpaceA call (arguments lpSectorsPerCluster, lpBytesPerSector, lpNumberOfFreeClusters); and the debugger log, which records several "thread has started" events at 7C810856 followed by "Software breakpoint exception (exc.code 80000003, tid 248)" at 40EE27.] 
Walking over segments... 

[Screenshot: the same Process Explorer, IDA and debugger views as on the previous slide, with IDA now positioned at start+27 (a call at 0040E578) and the debugger log ending in an access violation: "The instruction at 0x... referenced memory at ...".] 
Killing the OS... 

[Screenshot: the same Process Explorer, IDA and debugger views as on the "Patching process memory" slide, again ending with "Software breakpoint exception (exc.code 80000003, tid 248)" at 40EE27.] 
Summary 



Expect problems analysing malware 
Expect more problems analysing malware 